u/TurbulentRecover7247

Is this real business logic flaw?

While testing a domain, it offers a variety of contests to participate in, but the user must enter italian id to claim money after winning. When entering the contest, it asks you to enter the address, phone and italian tax id, after adding these, it uses italian id to check whether this user is already participated using another account. Here is the issue. I didn't verify the italian id and I was successfully contested and i lost, it is not an issue here, the real issue is I am able to change my italian id, anytime using the past request, and also I can create thousands of accounts with fake italian ids to participate in the contest. This has an impact on business right?. Even though fake italian id, cant get actual money(assumption) if the fake id won, then the fairness of the contest is broken here right? It didn't verify the italian id during the contest and after the contest too. After completing the contest, I got lost, and I had 2 more chances. Legitimate accounts have 3 tries. That's all I think. Any triager or hacker suggests me? Can I submit this?

reddit.com
u/TurbulentRecover7247 — 11 hours ago

Administrator manual exposed, reportable?

Hi, in a target, which uses Drupal, I ran fuzzing on nodes and I found a node containing admin handbooks, where It show all paths and all actions for an administrator with images, does it mean to be public? Literally full documentation on the admin panel with the respective admin endpoints. Is it reportable? Can any triager clarify me about this? Is it reportable? If you want further information for concluding, ask me. Thank you

reddit.com
u/TurbulentRecover7247 — 22 hours ago

Triager ignored my High severity report

I submitted a dom-xss report, i done this using redirect uri parameter in the url. It was exploitable due to the poor coding of js. I saw the function, which triggers the redirect. But here it only checks if it's a string. Nothing more, loads any url passed to the redirect uri. And script gets executed. I made dom-xss poped up. And also made using this to load a phishing page into the original target website. Making them to enter email and password again, which can be received by the hacker. I reported on hackerone and they didn't clearly see the js code. I was not able to steal because I don't have valid credentials. But according to the function, it checks only if the user is authenticated, and if so, triggers whatever in the redirect uri parameter. Hay hackerone triager here to help? It's been a week and not mediator request option available. Any solution?

reddit.com

CORS Misconfiguration

I encountered a cors in a target website using wordpress, I added evil.com in origin header and it reflected. I tried using my netlify to make request, but I got encountered by cloudflare waf. Still reportable? Because if there is XSS found in future, this can be used by the hacker right? The response header reflected the evil.com for access control allow origin, and access control allow credentials: true. Any experts or triager can suggest anything? Blocked by waf, means it didn't block, but runs bot detection with 403 error. Any idea to bypass waf, if I can bypass waf, my exploit will run perfectly. Thanks for your response.

reddit.com
u/TurbulentRecover7247 — 2 days ago

I got leaks of coveo api internal server sitecore usernames, will it be under considered as PII leaks?

I found a coveo api used by the target website, and managed to leak data, I got internal CMS architecture, internal template and GUIDs with static and generic pages, Employee PII - it seems internal active directory/sitecore usernames and got an username with the word "admin" in it. Is it reportable? I was also able to enable the debug, which showed all debugs as a response of a massive json. And I am unauthenticated. I am still trying to chain this to push this to a high bug, but it keeps going narrow, if I get stuck, is this reportable? Share your experience and suggestions on submitting these findings as a report.

reddit.com
u/TurbulentRecover7247 — 6 days ago